ANSPDCP fines operator Dumitru Viorel Focșa for publishing personal data on Facebook: GDPR breach and confirmed recurrence
Investigation background
In 2025, the Romanian Data Protection Authority (ANSPDCP) concluded an investigation into Dumitru Viorel Focșa, following a complaint submitted by a data subject. The complaint concerned the unauthorized disclosure of personal data on a public Facebook (Meta) page.
The investigation revealed violations of the core GDPR principles of lawfulness, fairness and transparency.
GDPR violations identified
1. Violation of the principles of lawfulness and transparency – Article 5(1)(a) GDPR
The operator published, in a public Facebook post:
- the data subject’s full name
- phone number
- other identifying information
This disclosure was made without consent and without any applicable legal basis.
2. Lack of a lawful basis for processing – Article 6(1) GDPR
ANSPDCP found that the operator could not demonstrate any valid legal basis for processing the data.
None of the conditions under Article 6(1) applied:
- no consent
- no legal obligation
- no legitimate interest
- no contract
- no public interest
Therefore, the processing was deemed unlawful.
Fine imposed
The operator received a fine of 4,977.30 lei (1,000 Euro), based on the BNR exchange rate at the time of the sanction.
Repeat violation
ANSPDCP highlighted that the operator had been previously sanctioned for a similar GDPR breach, indicating:
- lack of corrective measures
- absence of internal procedures
- disregard for GDPR obligations
Recurrence is considered an aggravating factor.
Impact and key takeaways
This case demonstrates the risks associated with improper use of social media in a public or professional context.
Operators must ensure:
- no personal data is published without a lawful basis
- data subjects’ rights are respected
- staff are regularly trained on GDPR
- public posts do not expose personal information
Social media platforms do not exempt operators from GDPR responsibilities.
Conclusion
The Dumitru Viorel Focșa case reinforces that:
- lawfulness and transparency are mandatory
- personal data cannot be disclosed arbitrarily
- repeated violations lead to increased sanctions
- GDPR applies fully to social media activity
Compliance is essential to protect individuals’ rights and avoid penalties.